CVE-2013-0136

Published: Jun 1, 2013Modified: Apr 29, 2026

8.5

Vector

AV:N/AC:M/Au:S/C:C/I:C/A:C

Exploitability: 6.8 / Impact: 10.0

Source: NVD

Description

Multiple directory traversal vulnerabilities in the EditDocument servlet in the Frontend in Mutiny before 5.0-1.11 allow remote authenticated users to upload and execute arbitrary programs, read arbitrary files, or cause a denial of service (file deletion or renaming) via (1) the uploadPath parameter in an UPLOAD operation; the paths[] parameter in a (2) DELETE, (3) CUT, or (4) COPY operation; or the newPath parameter in a (5) CUT or (6) COPY operation.

Affected (4)

Products: Mutiny: Mutiny, Mutiny Appliance, Mutiny Virtual Appliance

3 products

Mutiny Appliance

Mutiny Virtual Appliance

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Mutiny Mutiny	Up to 5.0-1.10
Mutiny Mutiny	Version 5.0-1.00
Mutiny Mutiny Appliance	All versions
Mutiny Mutiny Virtual Appliance	All versions

Related CWEs

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

http://www.kb.cert.org/vuls/id/701572

Source: cret@cert.org

US Government Resource

https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities

Source: cret@cert.org

Exploit

http://www.kb.cert.org/vuls/id/701572

Source: af854a3a-2127-422b-91ae-364da2661108

US Government Resource

https://community.rapid7.com/community/metasploit/blog/2013/05/15/new-1day-exploits-mutiny-vulnerabilities

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.